What is DNS Tunneling?

DNS tunneling is a misuse of DNS. Domain Name Servers (DNS) have been called the internet’s equivalent of a phone book. Rather than remembering an IP address with up to twelve digits, you just need to know the domain name associated with the IP address. DNS tunneling attempts to hijack the protocol to use it as a covert communications protocol or a means of data exfiltration. It is a broadly overlooked security threat.

An Overview of DNS

Years ago Jon Postel maintained the Assigned Numbers List at USC’s Information Sciences Institute. ARPANET users found they could easily give names to the numerical addresses of computers using the HOSTS.TXT file. That method still works today. Over time this method became too slow and cumbersome. In response, Paul Mockapetris created the Domain Name System.

DNS uses a tree data structure with a hierarchy of domains. Top level domains, such as .com and .net, remain on the right in a domain name. Subdomains extend to the left, separated by periods. The specifications for DNS are maintained by IETF, and a variety of RFCs give detail to the protocol.

A white paper from SANS Institute gives a good description of DNS tunneling and how to detect it. In their overview of DNS, they highlight a few of the more than 30 record types in DNS technology:

  • “A” record — used to perform a forward lookup to find one or more IP addresses for that domain name.
  • “AAAA” record — used to map a domain to an ipv6 address
  • “CNAME” record — used to map a domain name to the canonical name
  • “MX” record — used to define mail servers for a domain
  • “NS” record — used to define authoritative name servers for a domain
  • “PTR” or pointer record — used to map an IP address to its domain name. This is commonly referred to as a reverse lookup.
  • “TXT” record — used to return text data

Under the Radar

Other DNS attacks are better known than DNS tunneling. TechTarget lists five of them. NetworkWorld offers a top ten list in a slide presentation. Too often DNS tunneling slips under the radar and is ignored.

DNS tunneling was created to bypass the captive portals of Wi-Fi providers. While that may not be malicious on its own, it’s certainly not ethical. Hackaday called an exercise to use drive-by hotspot hacking (for a makeshift GPS) an “ethical grey zone”. Does the fact that they admitted it in public make it seem more justified? There may be valid reasons to try to get past a proxy using DNS tunneling – say, if you have to hack into your own network.  But usually the purposes are more nefarious.

DNS tunneling uses other protocols to tunnel through DNS queries and responses. The attacker may use SSH, TCP, or HTTP. The internet needs DNS, and port 53 generally stays open in the firewall for that reason. Hackers have their choice of a dozen or so DNS tunneling applications to choose from on the web, but we won’t mention them here.

As a communications channel, DNS tunneling is slow and inefficient. DNS traffic has limited bandwidth. It uses the unreliable layer-four protocol UDP. So why use DNS tunneling? DNS is a well-established protocol. Cybercriminals who know what they’re doing can potentially wreak havoc even with small data streams.

Detecting DNS Tunneling

The SANS whitepaper suggests two main categories of DNS tunneling detection:  payload analysis and traffic analysis. With payload analysis, you can detect specific DNS tunneling utilities. Traffic analysis might look for specific attributes such as volume of DNS traffic, number of hostnames per domain, geographic location, and domain history.

DNS is a trusted protocol. But according to an article from InfoWorld, the query/reply nature of DNS contributes to its vulnerability. And hackers don’t need to be experts. There are complete toolkits available for their evil deeds. In the article, Craig Sanderson offers some suggestions to defend against DNS tunneling:

  1. Use a tool that will detect both preconfigured toolkits and other techniques
  2. Blacklist destinations known for data exfiltration
  3. Include a DNS firewall that looks for DNS tunneling
  4. Use real-time analytics for automated monitoring
  5. Employ a stand-alone solution for DNS protection
  6. Use detection tools that can automatically terminate malicious queries

Infosec Institute offers another helpful list. Among their suggestions, they say to look for requests and queries that have more than 64 characters. This is likely DNS tunneling traffic. Use the split horizon DNS concept to separate internal addresses from the internet. Look for a large number of DNS TXT. Use next generation firewalls like Paloalto and Fire Eye.


Obviously we can’t solve everyone’s DNS security issues here. Every IT infrastructure is different. How and where you apply DNS protections is up to you. The best we can do is make you aware of a dangerous hack that might not get as much attention as others. DNS tunneling is another in a long list of things to watch out for as you safeguard your network. Best of luck with that.

Prevent your next outage now!


Other articles you might like to read: